Collaborate and Diversify: Connectivity in the Digital Age

Transformation in the global telecoms ecosystem is gathering momentum. It is driven by evolving technologies, growing customer appetite for hyperconnectivity and a new breed of competitor.

In their quest for a place within this fast-moving landscape, traditional telecoms companies will need to reinvent themselves and become more relevant to the digital age customer.

Collaboration and diversification will drive opportunities and growth, enabling providers to achieve speed and scale while transitioning to new, profit-enhancing activities.

Filed under Digital, Technology, Telecommunications

Personalised Health and the Future of Pharma

Growing social and political pressures combined with disruptive technologies and scientific innovation are changing the way pharma companies do business.
In their mission to address unmet medical need and deliver differentiated products, pharma companies and other players in the sector are adapting their business models to deliver increased value. Three forces are converging to drive this change:

  • Personalised Healthcare – the personalisation of healthcare either to a specific individual or a group of patients
  • Precision medicine – a medicine designed to be of optimised efficiency or therapeutic benefit for a specific individual or a group of patients
  • Smart Healthcare – use of technology to improve healthcare delivery or quality of life

Technological advancement underpins these forces, with pharma companies increasingly partnering with non-traditional players such as tech giants and agile start-ups. As business leaders embark on this journey and look to capitalise on new opportunities, we explore some of the legal and commercial issues arising as pharma enters its most transformative era.

Filed under Digital, Technology

Brexit Withdrawal Agreement: Impact for data protection

Following a UK Cabinet meeting on 14 November 2018, the UK Government has announced support for the text of a draft Withdrawal Agreement and an outline of the Political Declaration on the Future Relationship agreed with EU negotiators. The Withdrawal Agreement sets out the arrangements for the UK’s withdrawal from the EU on 29 March 2019 and includes a transition period through to 31 December 2020, during which EU law will continue to apply in and to the UK (the “Transition Period”). Data protection features in both the draft Withdrawal Agreement and the outline Political Declaration, reflecting the significance of the data protection rules to both the EU and the UK.

Filed under Brexit, Data Protection & Privacy, Regulation, UK Law

Budget 2018: Investing in a rapidly evolving digital landscape

Advances in technology and changing business models are transforming the global economy across all industry sectors. The measures announced by the Chancellor in Monday’s Budget Speech showcase how the UK Government is seeking to embrace innovation and new and emerging technologies, to ensure the UK’s position as a leader in our evolving digital landscape.
In this bulletin we set out some of the key highlights from the Budget from a technology and digital perspective.

A vision for an economy driven by research and innovation

The Budget is stated to set out “a vision for an economy driven by research and innovation”. In particular:

  • The Chancellor announced a further £1.6 billion investment for R&D funding, with £1.1 billion providing additional funding to support the Industrial Strategy Grand Challenges and secure the “UK’s position as a world leader in new and emerging technologies such as artificial intelligence, nuclear fusion and quantum computing”.
  • The Government is also seeking to ensure businesses and consumers continue to benefit from these new technologies, including by asking Jason Furman, US President Barack Obama’s chief economic adviser, to lead a review of competition in the digital economy.
  • These efforts are further supported by the Government’s Modern Industrial Strategy, a key component of which is the National Productivity Investment Fund (NPIF), established in 2016 to provide additional capital investment in areas critical to productivity – namely digital infrastructure, R&D, housing and transport. The Budget extends the NPIF by an extra year to 2023-2024 and increases the fund to £37 billion.
  • The Budget sets out next steps for the rollout of full fibre broadband nationwide, which will see funding for fibre and 5G increase incrementally from £25 million in 2017-2018 up to £290 million in 2023-2024 through the NPIF.
  • The Government also proposes investments totalling £150 million in global artificial intelligence and future talent fellowships.

Filed under Brexit, Digital, Media & Entertainment, News, Regulation, Technology, Telecommunications, UK Law, Uncategorized

General Data Protection Regulation: first enforcement notice shows extra-territorial reach

The UK data protection regulator, the Information Commissioner’s Office (ICO), has issued its first enforcement notice under the EU’s new strict data protection law, the General Data Protection Regulation (679/2016/EU) (GDPR). The notice is particularly noteworthy because it has been issued against a company located in Canada, which does not appear to have any presence within the EU.

Not only is it the first extra-territorial notice issued by the ICO under the GDPR, but it is the first action ever taken by the ICO against an entity outside the UK. It is understood that the notice is being appealed. The extra-territorial reach of the GDPR is as yet untested and, without any regulatory guidance as to interpretation, how that appeal plays out may be an early indicator as to the issues that could arise in extra-territorial enforcement under the GDPR.

Filed under Data Protection & Privacy, GDPR

Court of Appeal confirms Morrisons vicariously liable for employee’s deliberate actions in first successful UK class action for data breach

The Court of Appeal has today dismissed an appeal against the High Court’s decision that Morrisons was vicariously liable for its employee’s misuse of data, despite: (i) Morrisons having done as much as it reasonably could to prevent the misuse; and (ii) the employee’s intention being to cause reputational or financial damage to Morrisons itself: Wm Morrisons Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339.

Summary implications for businesses

This case highlights the wide reach of data protection. An organisation can be liable for data breaches even if it has taken appropriate measures to comply with the data protection legislation itself, and even if it is the intended victim of the breach. In this respect, the decision will also concern employers who can now be vicariously liable for the actions taken by a rogue employee even with appropriate safeguards in place to protect employee personal data. In addition to civil liability, organisations may suffer further damage as a result of negative publicity and impact on share price.

The fear for organisations will now be that this decision, combined with the legislative changes made by the EU General Data Protection Regulation (“GDPR”), increased public awareness of data protection issues, and the publicity that the case has attracted, could spark a new wave of court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large. In this regard, it will be interesting to see how the court approaches the issue of quantum in the case against Morrisons.

The Court of Appeal suggested that insurance could be the answer to “Doomsday or Armageddon arguments” about the effect of its decision. Cyber insurance typically covers claims for breaches of confidential information; and in some circumstances coverage may also be found in other classes of liability insurance. However, at this stage the UK cyber insurance market remains in its infancy and claims experience is limited. It therefore remains to be seen how the market will react to this enhanced exposure and whether insurance will be an effective tool to offset the increased risks that organisations now face.

Importantly, this case related to data breaches which occurred prior to 25 May 2018 (i.e. prior to the implementation of the GDPR). In the post-GDPR world where there is an express right for individuals to be compensated for non-material damage (i.e. distress) it could become even easier to bring such actions, particularly where there have been findings of non-compliance by the Information Commissioner’s Office (“ICO”) (the UK’s data protection regulator). With multiple data breaches having hit the headlines since 25 May 2018 (including the Conservative Party Conference, Butlin’s, British Airways, Dixons Carphone, Facebook and Google+), it will be interesting to see the impact of this decision on future individual compensation claims and whether or not this case opens the floodgates for data breach class action claims in the UK.

Filed under Cyber Security, Data Protection & Privacy, Digital, News, UK Law

Data protection if there’s no Brexit deal

On 13 September 2018, the UK Government published a series of technical notes setting out the implications in various sectors and areas of a ‘no deal’ scenario (i.e. a scenario in which the UK leaves the EU without an agreement), including a note specifically covering data protection. The note sets out the actions UK organisations should take to enable the continued flow of personal data between the UK and the EU in the event that the UK leaves the EU in March 2019 with no agreement in place.

Transferring data from the UK to the EU

Even in the event of a ‘no deal’ scenario, the technical note confirms that there should not be any impact on the transfer of personal data from the UK to the EU and beyond. A combination of the UK Data Protection Act 2018 and the EU Withdrawal Act would incorporate the GDPR into UK law. As such, the provisions currently found in Chapter V of the GDPR, which prohibit the transfer of personal data outside of the EEA without adequate safeguards in place, would remain. UK entities would therefore continue to be able to freely send personal data from the UK to the EU, and would continue to need to satisfy an appropriate legal basis to legitimise the transfer of personal data beyond European borders.

The technical note further confirms that, “in recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU”. However, there is a potential sting in the tail as the technical note provides that the UK will keep this under review – once the UK data protection regime is no longer required to mirror the GDPR, it would in theory be possible for the UK Government to amend the UK rules to provide that, for example, no personal data could be transferred outside of the UK without additional safeguards in place – meaning that this could potentially change in the future.

Transferring data from the EU to the UK

In contrast to the export of personal data from the UK, the import of personal data to the UK from the EU will change on exit. As described above, the GDPR restricts the transfer of personal data outside of the EEA, meaning that in a ‘no deal’ scenario where the UK is no longer a Member State or part of the EEA, entities wishing to transfer data to the UK will need to satisfy one of the available legal bases for the transfer of personal data.

One such mechanism is a finding of ‘adequacy’ from the European Commission. The European Commission has stated that if it deems the UK’s level of personal data protection essentially equivalent to that of the EU, it would make an adequacy decision allowing the transfer of personal data to the UK without restrictions. However, it has further stated that any decision on adequacy cannot be taken until the UK is a third country (i.e. until after the UK’s exit from the EU).

In the absence of an adequacy decision (or in the intervening period of time whilst the European Commission is considering an adequacy decision), organisations in the EU wishing to send personal data to the UK will need to satisfy an alternative legal basis for doing so. The most common such basis is likely to be the use of the so-called Standard Contractual Clauses. These are sets of contractual clauses approved by the European Commission and incorporating various protections for personal data. By entering into the Standard Contractual Clauses, two entities are able to freely transfer data between each other. There are also specific derogations which might apply on a case-by-case basis. For example, the transfer of data is permitted with the explicit consent of the individual data subject. However, in all circumstances, entities will need to proactively consider what action they may need to take to ensure the continued free flow of data.

Miriam Everett
Consultant, Head of Data Protection and Privacy, London
+44 20 7466 2378

Filed under Brexit, Data Protection & Privacy, EU Law, GDPR, Guidance, UK Law

New reciprocal adequacy decision allows free flow of personal data between Japan and the EEA

On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.

Under the General Data Protection Regulation (“GDPR”), which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways in which personal data may be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects.

This is the first time the Commission and a third country have agreed on reciprocal recognition in respect of data protection adequacy. The other countries or territories which have been assessed by the Commission as having an adequate level of protection of personal data are all based on the Commission’s unilateral decisions (e.g. New Zealand, Canada and Switzerland). Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with Japanese law.

Filed under Brexit, Data Protection & Privacy

NIS Directive and Regulations now in force

The EU Network and Information Systems Directive (“NISD”) was required to be implemented into national law by 9 May 2018. The UK implementing regulations (the Network and Information Systems Regulations 2018) (“Regulations”) are now in force.

The Regulations impose cyber security standards on operators of essential services (“OES”) and certain digital service providers (“DSPs”) to help ensure that cyber attacks do not damage the wider economy.

Filed under Cyber Security